This document summarizes a workshop on building a self-documenting compliant application using Conjur and Chef. The workshop consists of several parts: (1) an introduction to DevOps and compliance; (2) an overview of Chef secrets management; (3) a practicum building a sample app; (4) a discussion of compliance, Chef best practices, and traceability/auditability; and (5) a wrap up. The goals of the workshop are for attendees to have a deeper understanding of how compliance, access to the Chef server, and secrets management are interrelated and how to implement a delivery pipeline that combines these topics in a self-documenting and automated fashion.
Building A Self-Documenting Application: A Study in Chef and Compliance - Kevin Gilpin
This is a presentation originally from ChefConf 2015. It includes an introduction to Conjur, a general discussion of delivering compliant workflows and business processes using Chef, a discussion of secrets management and SSH management using Chef and Conjur, and a full hands-on workshop using these tools. At the end of the workshop, participants had learned how to build a self-documenting application pipeline using Conjur and Chef, and how to work with their organization to make this process clear and transparent to security and compliance stakeholders.
Bio IT World 2015 - DevOps Security and Transparency - Kevin Gilpin
As more companies adopt DevOps programs and build new infrastructure, the quantity and sensitivity of data being processed outside of the traditional IT stack are growing. Few organizations know where the access points into this information are, or how to secure them. We outline best practices for establishing visibility and control in this new space, drawing real-world examples from environments large and small.
The DevSecOps Builder’s Guide to the CI/CD Pipeline - James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
Docker "Global Mentor Week" is your opportunity to #learndocker: to learn how to build, ship, and run modern distributed applications with ease, thanks to the Docker platform.
Right now, Docker has developed a series of self-paced online labs that will be available during the meetup. Docker’s meetup groups worldwide are hosting a series of complimentary events to help newcomers and intermediate users learn Docker.
We'll have hands-on labs for both beginners and intermediate users, with labs targeting both developers and operations. There is something for everyone. Docker mentors will be on hand at this event to help you prepare and work through the self-paced materials. Bring your laptop, have fun and learn Docker!
AWS user group meetup container series DXB Dubai
In this session, we will explore the popular workload manager and scheduler Kubernetes. Amazon's managed Kubernetes service, Elastic Container Service for Kubernetes (Amazon EKS), takes care of the heavy lifting and lets one focus on managing the containerized workloads. EKS, however, still gives you the flexibility and choice of where to run, and how to efficiently run, the data plane that hosts your workloads. In this session, we cover what you need to know to get your application up and running with Kubernetes on AWS. We show how Amazon EKS makes deploying Kubernetes on AWS simple and scalable.
⏳ Agenda
1- Review the general Kubernetes architecture and relate to EKS
2- How to set up and provision your Kubernetes cluster using console and eksctl.
3- Discuss the important abstractions that developers use to map their traditional application onto any Kubernetes platform.
4- How to deploy software efficiently, while sustaining reliable and scalable applications.
5- Deploy your first microservices on EKS
6- EKS possible development deployment workflow
This document discusses Continuous Integration/Continuous Delivery (CICD) with Jenkins. It begins with an introduction to how developing and releasing software can be complicated. It then provides an overview of CICD, including that continuous integration verifies new changes through testing, continuous delivery enables continuous deployment to production, and continuous deployment automatically deploys all passed changes. The document discusses how Jenkins is an open-source automation server that helps automate the software development process for CICD. It concludes with best practices for Jenkins, such as high availability, sizing Jenkins machines appropriately, and organizing pipelines and jobs.
OpenShift for cloud native development - 20171214 - Laurent Broudoux
Talk given at the Cloud Workshop Azure - Red Hat & Microsoft, on 14/12/2017. Discover how Red Hat's OpenShift platform makes it easier to develop, deploy and monitor Cloud Native applications!
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment - DevOps.com
Today, running applications in the cloud is a must-have. But that doesn’t mean it’s risk-free. In this webinar, CircleCI and xMatters will discuss security issues in the application lifecycle, and demo solutions so your team can be confident you’re deploying safely and securely. Join to understand:
Common risks and vulnerabilities in cloud deployments
Patterns and best practices for ease of testing and deployment management
How CircleCI and xMatters make deploying to the cloud (especially multi-cloud environments) safer and more secure
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ... - Jorge Hidalgo
Conference session from Oracle Code One San Francisco 2018 - In the brave new world of microservices, the need for polyglot solutions is growing, making it harder to standardize continuous delivery pipelines across many different languages and runtimes. Tasks like compiling, packaging, profiling or verifying software components are now more diverse, and our toolbelt as developers does not cease to grow. Thankfully, there are ways to prescribe and standardize without losing freedom and flexibility. In this talk we will showcase, from a very pragmatic and hands-on point of view, an architectural approach based on real-world project experiences, unleashing the power of Jenkins, Jenkinsfile declarative pipelines, Jenkins libraries, Docker and Kubernetes as the universal runtime platform, for continuously delivering polyglot components with ease.
GitHub Gone Wrong - Lessons learned from organic open source - All Things Open
Presented by: Charles Eckel
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: Creating a GitHub organization with public repos is free, fast, and easy. This fosters a wild west of GitHub usage within corporations that is as confusing and troubling as it is liberating and empowering. We explore how GitHub has been used organically throughout Cisco and efforts to establish best practices that enable efficient open source collaboration that is responsible and sustainable.
The document discusses developing curator tool wizards for GRIN-Global. It provides an agenda that includes general aspects of wizards, the GRIN-Global platform architecture for the curator tool and wizards, how to create and deploy a new wizard, and panels for wizards in the curator tool. It also discusses license terms, downloading and running the curator tool source code, CIP wizards, requirements for creating GRIN-Global wizards, and how to create a welcome and list comparison wizard.
- Docker celebrated its 5th birthday with events worldwide including one in Cluj, Romania. Over 100 user and customer events were held.
- The Docker platform now has over 450 commercial customers, 37 billion container downloads, and 15,000 Docker-related jobs on LinkedIn.
- The event in Cluj included presentations on Docker and hands-on labs to learn Docker, as well as social activities like taking selfies with a birthday banner.
GitLab is a popular DevOps platform that provides an ecosystem for code management, release management, and continuous integration and delivery (CI/CD) pipelines. This document discusses implementing DevOps using the GitLab ecosystem, including its tools, branching strategies, and designing a GitLab-based DevOps implementation. It provides an overview of the key GitLab tools and interfaces for users, and describes best practices for areas like source code management, continuous integration, monitoring, and security.
Vandana Verma is a cybersecurity expert who specializes in DevSecOps. She serves on the OWASP Global Board of Directors as Vice-Chair and is a member of several security review boards. Her work focuses on diversity initiatives in information security. She advocates for integrating security practices throughout the entire software development lifecycle from coding to deployment. This includes having developers take ownership of security and empowering them with tools and processes to build more secure applications within their existing workflows.
This document discusses DevSecOps principles for banks and financial institutions. It introduces DevSecOps as an evolution from DevOps that incorporates security practices like risk assessments, security testing, and compliance monitoring directly into the development lifecycle. The presentation outlines key DevSecOps principles like establishing security requirements upfront, implementing controls like access management and logging, and conducting continuous security testing. It provides an example of a Swiss bank that uses Kubernetes, Docker, and security tools from VSHN to operationalize DevSecOps and improve governance.
DevOps and Continuous Delivery Reference Architectures - Volume 2 - Sonatype
CONTINUOUS DELIVERY REFERENCE ARCHITECTURES Including Sonatype Nexus and other popular DevOps tools Derek E. Weeks (@weekstweets) VP and DevOps Advocate Sonatype.
Continuous Delivery and DevOps Reference Architectures include many common tool choices. The most common tool choices we find in these reference architectures are: Eclipse, git, Cloudbees Jenkins / Atlassian Bamboo, Sonatype Nexus, Atlassian JIRA, SonarQube, Puppet, Chef, Rundeck, Maven / Ant / Gradle, Subversion (svn), Junit, LiveRebel, ServiceNow
This document discusses OpenDaylight documentation. It provides an overview of OpenDaylight, an open source SDN project. It describes the OpenDaylight documentation workflow using tools like AsciiDoc, Git and Gerrit. It also explains the process for joining the OpenDaylight documentation community and contributing documentation changes.
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti... - Docker, Inc.
Clemente Biondo, Engineering Ingegneria Informatica -
When the COVID-19 pandemic started, Engineering Ingegneria Informatica Group (1.25 billion euros of revenues, 65 offices around the world, 12.000 employees) was forced to put their digital transformation to the test in order to maintain operational continuity. In this session, Clemente Biondo, the Tech Lead of the Information Systems Department, will share how his company is reacting to this unforeseeable scenario and how Docker-driven digital transformation had paved the path for work to continue remotely. Clemente will discuss learnings from moving from colocated teams, manual approaches, email-based business processes, and a monolithic application to a mature DevOps culture characterized by a distributed autonomous workforce and a continuous deployment process that deploys backward-compatible Docker containerized microservices into hybrid multi-cloud datacenters an average of twice a day with zero downtime. He will detail how they use Docker to unify dev, test and production environments, and as an efficient and automated mechanism for deploying applications. Lastly, Clemente shares how, in our darkest hour, he and others are working to shine their brightest light.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
DevOps World | Jenkins World 2019 "Thinking about Jenkins Security" presentation by Mark Waite, Wadeck Follonier and Meg McRoberts. Reviews Jenkins security concepts, common pitfalls, and the techniques to avoid those common pitfalls.
Microsoft DevOps Forum 2021 – DevOps & Security - Nico Meisenzahl
This document discusses implementing DevSecOps practices for small teams and organizations. It begins by noting that while DevOps is widely adopted, DevSecOps practices are less well-known and implemented. It then outlines some common security issues seen at clients and provides demos of implementing quick security wins through the DevOps cycle like enabling code scanning and ensuring secure code, runtimes, and monitoring. The document advocates starting small with security and integrating practices throughout the development lifecycle.
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team's journey from endpoint security to built-in security and how to avoid the common mistakes faced when implementing your chosen DevSecOps strategy.
Building a DevSecOps Pipeline Around Your Spring Boot Application - VMware Tanzu
SpringOne Platform 2019
Building a DevSecOps Pipeline Around Your Spring Boot Application
Speaker: Hayley Denbraver, Developer Advocate, Snyk
YouTube: https://youtu.be/CtQ2KZ4aMnQ
DevSecOps: Defined, tools, characteristics, tools, frameworks, benefits and c... - Mohamed Nizzad
This presentation outlines DevOps, DevSecOps, the characteristics of DevSecOps, DevSecOps practices, the benefits of implementing DevSecOps, implementation frameworks and the challenges in implementing DevSecOps.
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014) - CloudBees
Delivering value to the business faster thanks to Continuous Delivery and DevOps is the new mantra of IT organizations. In this webinar, CloudBees will discuss how Jenkins, the most popular open source Continuous Integration tool, allows DevOps teams to implement Continuous Delivery.
You will learn how to:
* Orchestrate Continuous Delivery pipelines with the new workflow feature,
* Scale Jenkins horizontally in your organization using Jenkins Operations Center by CloudBees,
* Implement end-to-end traceability with Jenkins, Puppet and Chef.
http://devops.com/news/ci-and-cd-across-enterprise-jenkins/
https://github.com/CloudBees-community/vagrant-puppet-petclinic
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale - Agile Testing Alliance
Avishkar Nikale, Senior Technical Architect at LTI, gave a session on "DevSecOps with GitLab" at the Global Testing Retreat #ATAGTR2019.
Please refer our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
This document provides information on top DevOps solution providers. It discusses the services offered by CloudBees, CloudHesive, Plutora, XenonStack, OpenMake Software, Cloudmunch, and Shippable. The services include continuous integration, continuous delivery, infrastructure automation, release management, and DevOps consulting. Pricing models vary between free trials, pay-per-use, and monthly subscriptions. The document aims to help users choose a DevOps solution that best fits their needs and budget.
CI - A Refactor Story - Boston DevOps Meetup March 2015 - Kevin Gilpin
A brief slide sequence about refactoring a monolithic Jenkins CI system into independent components: Foundation image, Build, Verify, Secrets, SSH, Workflow, Linked dependencies, Artifact “push” (deployment), Audit, and Notifications.
The document discusses best practices for managing secrets using a secrets server and Puppet. It recommends defining access policies, checking secrets into source control, creating "host factories" to provision machines, increasing deployment velocity, and integrating the secrets server with the DevOps toolchain. It then provides an example of obtaining secrets directly on nodes with Puppet by encrypting secrets in Hiera.
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...Jorge Hidalgo
Conference session from Oracle Code One San Francisco 2018 - In the brave new world of microservices, the need for polyglot solutions is growing, making it harder to standardize continuous delivery pipelines across many different languages and runtimes. Tasks like compiling, packaging, profiling or verifying software components, are now more diverse and our toolbelt as developers does not cease to grow. Thankfully, there are ways to prescribe and standardize without losing freedom and flexibility. In this talk we will showcase. from a very pragmatic and hands-on point of view, an architectural approach based on real-world project experiences, unleashing the power of Jenkins, Jenkinsfile declarative pipelines, Jenkins libraries, Docker and Kubernetes as the universal runtime platform, for continuously delivering polyglot components at ease.
GitHub Gone Wrong - Lessons learned from organic open sourceAll Things Open
Presented by: Charles Eckel
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: Creating a GitHub organization with public repos is free, fast, and easy. This fosters a wild west of GitHub usage within corporations that is as confusing and troubling as it is liberating and empowering. We explore how GitHub has been used organically throughout Cisco and efforts to establish best practices that enable efficient open source collaboration that is responsible and sustainable.
The document discusses developing curator tool wizards for GRIN-Global. It provides an agenda that includes general aspects of wizards, the GRIN-Global platform architecture for the curator tool and wizards, how to create and deploy a new wizard, and panels for wizards in the curator tool. It also discusses license terms, downloading and running the curator tool source code, CIP wizards, requirements for creating GRIN-Global wizards, and how to create a welcome and list comparison wizard.
- Docker celebrated its 5th birthday with events worldwide including one in Cluj, Romania. Over 100 user and customer events were held.
- The Docker platform now has over 450 commercial customers, 37 billion container downloads, and 15,000 Docker-related jobs on LinkedIn.
- The event in Cluj included presentations on Docker and hands-on labs to learn Docker, as well as social activities like taking selfies with a birthday banner.
GitLab is a popular DevOps platform that provides an ecosystem for code management, release management, and continuous integration and delivery (CI/CD) pipelines. This document discusses implementing DevOps using the GitLab ecosystem, including its tools, branching strategies, and designing a GitLab-based DevOps implementation. It provides an overview of the key GitLab tools and interfaces for users, and describes best practices for areas like source code management, continuous integration, monitoring, and security.
Vandana Verma is a cybersecurity expert who specializes in DevSecOps. She serves on the OWASP Global Board of Directors as Vice-Chair and is a member of several security review boards. Her work focuses on diversity initiatives in information security. She advocates for integrating security practices throughout the entire software development lifecycle from coding to deployment. This includes having developers take ownership of security and empowering them with tools and processes to build more secure applications within their existing workflows.
This document discusses DevSecOps principles for banks and financial institutions. It introduces DevSecOps as an evolution from DevOps that incorporates security practices like risk assessments, security testing, and compliance monitoring directly into the development lifecycle. The presentation outlines key DevSecOps principles like establishing security requirements upfront, implementing controls like access management and logging, and conducting continuous security testing. It provides an example of a Swiss bank that uses Kubernetes, Docker, and security tools from VSHN to operationalize DevSecOps and improve governance.
DevOps and Continuous Delivery Reference Architectures - Volume 2Sonatype
CONTINUOUS DELIVERY REFERENCE ARCHITECTURES Including Sonatype Nexus and other popular DevOps tools Derek E. Weeks (@weekstweets) VP and DevOps Advocate Sonatype.
Continuous Delivery and DevOps Reference Architectures include many common tool choices. The most common tool choices we find in these reference architectures are: Eclipse, git, Cloudbees Jenkins / Atlassian Bamboo, Sonatype Nexus, Atlassian JIRA, SonarQube, Puppet, Chef, Rundeck, Maven / Ant / Gradle, Subversion (svn), Junit, LiveRebel, ServiceNow
This document discusses OpenDaylight documentation. It provides an overview of OpenDaylight, an open source SDN project. It describes the OpenDaylight documentation workflow using tools like AsciiDoc, Git and Gerrit. It also explains the process for joining the OpenDaylight documentation community and contributing documentation changes.
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.
Clemente Biondo, Engineering Ingegneria Informatica -
When the COVID 19 pandemic started, Engineering Ingegneria Informatica Group (1.25 billion euros of revenues, 65 offices around the world, 12.000 employees) was forced to put their digital transformation to the test in order to maintain operational continuity. In this session, Clemente Biondo, the Tech Lead of the Information Systems Department, will share how his company is reacting to this unforeseeable scenario and how Docker-driven digital transformation had paved the path for work to continue remotely. Clemente will discuss learnings moving from colocated teams, manual approaches, email based-business processes, and a monolithic application to a mature DevOps culture characterized by a distributed autonomous workforce and a continuous deployment process that deploys backward-compatible Docker containerized microservices into hybrid multi cloud datacenters an average of twice a day with zero-downtime. He will detail how they use Docker to unify dev, test and production environments, and as an efficient and automated mechanism for deploying applications. Lastly, Clemente shares how, in our darkest hour, he and others are working to shine their brightest light.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
DevOps World | Jenkins World 2019 "Thinking about Jenkins Security" presentation by Mark Waite, Wadeck Follonier and Meg McRoberts. Reviews Jenkins security concepts, common pitfalls, and the techniques to avoid those common pitfalls.
Microsoft DevOps Forum 2021 – DevOps & SecurityNico Meisenzahl
This document discusses implementing DevSecOps practices for small teams and organizations. It begins by noting that while DevOps is widely adopted, DevSecOps practices are less well-known and implemented. It then outlines some common security issues seen at clients and provides demos of implementing quick security wins through the DevOps cycle like enabling code scanning and ensuring secure code, runtimes, and monitoring. The document advocates starting small with security and integrating practices throughout the development lifecycle.
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team journey's from endpoint security to built-in security and how to avoid the common mistakes faced when implementing your chosen DevSecOps strategy.
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationVMware Tanzu
SpringOne Platform 2019
Building a DevSecOps Pipeline Around Your Spring Boot Application
Speaker: Hayley Denbraver, Developer Advocate, Snyk
YouTube: https://youtu.be/CtQ2KZ4aMnQ
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
In this presentation, it is outlined about DevOps, DevSecOps, Characteristics of DevSecOps, DevSecops Practises, Benefits of Implementing DevSecOps, Implementation Frameworks and the Challenges in Implementing DevSecOps.
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)CloudBees
Delivering value to the business faster thanks to Continuous Delivery and DevOps is the new mantra of IT organizations. In this webinar, CloudBees will discuss how Jenkins, the most popular open source Continuous Integration tool, allows DevOps teams to implement Continuous Delivery.
You will learn how to:
* Orchestrate Continuous Delivery pipelines with the new workflow feature,
* Scale Jenkins horizontally in your organization using Jenkins Operations Center by CloudBees,
* Implement end to end traceability with Jenkins and Puppet and Chef.
http://devops.com/news/ci-and-cd-across-enterprise-jenkins/
https://github.com/CloudBees-community/vagrant-puppet-petclinic
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
Avishkar Nikale who is Senior Technical Architect at LTI took a Session on "DevSecOps with GitLab" at Global Testing Retreat #ATAGTR2019
Please refer our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
This document provides information on top DevOps solution providers. It discusses the services offered by CloudBees, CloudHesive, Plutora, XenonStack, OpenMake Software, Cloudmunch, and Shippable. The services include continuous integration, continuous delivery, infrastructure automation, release management, and DevOps consulting. Pricing models vary between free trials, pay-per-use, and monthly subscriptions. The document aims to help users choose a DevOps solution that best fits their needs and budget.
CI - A Refactor Story - Boston DevOps Meetup March 2015Kevin Gilpin
A brief slide sequence about refactoring a monolithic Jenkins CI system into independent components: Foundation image, Build, Verify, Secrets, SSH, Workflow, Linked dependencies, Artifact “push” (deployment), Audit, and Notifications.
The document discusses best practices for managing secrets using a secrets server and Puppet. It recommends defining access policies, checking secrets into source control, creating "host factories" to provision machines, increasing deployment velocity, and integrating the secrets server with the DevOps toolchain. It then provides an example of obtaining secrets directly on nodes with Puppet by encrypting secrets in Hiera.
Q Con New York 2015 Presentation - Conjurconjur_inc
This document discusses securing containers and microservices using a software-defined firewall (SDF) approach. It introduces the SDF pattern which uses gatekeeper and forwarder containers to validate and route traffic. The SDF ensures only authorized communication between containers. It also discusses embedding credentials during deployment using a host factory. Open source projects like Conjur and Summon can provide secrets and integrate with automation tools for continuous and secure deployment of containers.
This floor plan diagram shows the layout of the Moscone Convention Center in San Francisco. It details the various halls, meeting rooms, lobbies, and other facilities. Key features are labeled, including exits, restrooms, storage areas, seating areas, and the locations of individual exhibit booths numbered from 100 to 2746. Dimensions of ceilings, aisles, and other spaces are provided. Target dates and times for move-in of exhibits are listed. A disclaimer notes that all dimensions should be verified on site.
This document discusses integrating security into modern development workflows. It begins by introducing the presenter and stating what topics will and will not be covered. Examples are then provided of how different user personas such as developers, operations staff, security teams, and business users can have their workflows negatively impacted when secrets are not properly managed. The talk suggests creating a cross-functional security UX team and provides recommendations to avoid issues like credential rotation schemes that require redeploys or cloud-specific solutions.
Zero trust server management - lightningKevin Gilpin
The document discusses zero-trust server management as an alternative to traditional server access management using Active Directory and VPN. Zero-trust involves dividing systems into sub-systems with least privilege access for all users, machines, and code. It also recommends using public key authentication and bastion hosts to create security zones for access to servers rather than relying on Active Directory in cloud environments.
The 5 Stages of Secrets Management Grief, And How to Prevail Bryan Sterling
The document discusses the 5 stages of secrets management grief: denial, anger, bargaining, depression, and acceptance. It then provides examples of approaches organizations can take to securely manage secrets when using configuration management tools like Puppet, including storing secrets in source control versus alternative approaches. It emphasizes the importance of involving information security teams and considering both "masterful" and "masterless" options. The document recommends resources for further learning on tools that can help, like Conjur and Summon, and calls readers to evaluate their own organization's secrets management approach.
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...DynamicInfraDays
Slides from Jeff Mitchell's talk "Hiding in Plain Sight: Managing Secrets in a Container Environment" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#secrets
SecDevOps 2.0 - Managing Your Robot Armyconjur_inc
This document discusses SecDevOps 2.0, which involves managing secrets and access for DevOps environments through a security orchestration system called Cauldron. Cauldron uses a concept called "continuous secrets delivery" to securely provide secrets to applications and services through a pluggable interface. It aims to improve on the current state of SecDevOps 1.0 by providing high availability, role-based access control, and encryption across cloud and hybrid architectures. The document also covers hiring processes at Conjur and how to get involved with their open source Cauldron project.
1. The document discusses secrets management in automation workflows and how Rundeck solutions can help with key storage and integration with secrets providers.
2. It describes how Rundeck provides built-in key storage and plugins that allow integration with popular secrets managers to securely provision, access, and revoke secrets in automation jobs and workflows.
3. The presentation includes a demo of configuring secrets in Rundeck jobs using both the built-in key storage and an integration with Thycotic secrets manager.
Learn how Github analytics can help you gauge the health of your DevOps release cycle, gain visibility into team productivity, and secure your intellectual property.
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...DevOps.com
This document provides an overview of a webinar on integrating OpenShift and Conjur for DevOps. It discusses containers and Kubernetes, and how they are not enough on their own for DevOps without additional components like networking, image registries, metrics/logging, deployment automation, application lifecycles, services, and self-service portals. It then outlines how OpenShift addresses these needs and how Conjur can integrate to provide secrets management and access control when using OpenShift for DevOps. The integration goals, components, deployment within OpenShift, and detailed flow are described to securely provide secrets to applications in a scalable and robust manner.
Technology is transforming how the world operates thanks to cloud, mobile, social business and big data being key catalysts to innovation. While each of these stands on their own, they enable the others at the same time. But to innovate at the speed of business, you need to deliver the software that drives it. That is where DevOps come in. DevOps enables organizations to maximize their ability to leverage these technologies for innovation. This webinar will focus on Cloud and DevOps, describing how IBM's DevOps solution helps organizations maximize their ability to drive software innovation by leveraging the flexibility, scalability and services offered by a Cloud Computing solution. We will discuss the benefits of using Cloud across the software delivery lifecycle including development, testing, and operations and how that lifecycle can be maximized with DevOps. We will introduce integrations between IBM UrbanCode Deploy and IBM Cloud offerings highlighting the value they can bring to your organization through the integration and automation of provisioning and deployment capabilities.
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree AnikeyRoy
Mindtree's DevOps service helps clients build an in-house DevOps model platform within an organisation using open-source DevOps tools. Click here to know more.
Here Be Dragons: Security Maps of the Container New WorldC4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1KjxPiO.
Josh Bregman explores some of the unique security challenges created by both the development workflow and application runtime, explains why and how the current approaches in SecDevOps 1.0 are insufficient, and how SecDevOps 2.0 techniques including Software Defined Firewalls (SDF) provide a promising path forward for all parties involved. Filmed at qconnewyork.com.
Josh Bregman is Information Security Architect and Executive Vice President for Technical Sales at Conjur Inc.
This document discusses how DevOps practices can sometimes break traditional security and compliance practices, and proposes an approach called SecDevOps 2.0 to better integrate the two. It outlines how SecDevOps 2.0 would define policies, identities, and networks in a way that supports continuous delivery while maintaining security and compliance. Key elements include defining security policies in code, using machine identities at scale for access control, and implementing new tools like secrets as a service and software-defined firewalls. The overall goal is to make security controls more transparent and integrated with automation.
Mulesoft Meetup Roma - Monitoring Framework & DevOps.pptxAlfonso Martino
The document discusses DevOps practices for MuleSoft, including continuous integration/continuous delivery (CI/CD). It begins with an agenda that covers monitoring frameworks and DevOps fundamentals like CI/CD. For monitoring frameworks, it describes the Exchange Monitoring Framework tool and its key features. It then discusses CI/CD practices for MuleSoft, providing examples of CI/CD flows and pipelines using Anypoint Platform tools. The document concludes with a demonstration of configuring a Mule application for CI/CD using Maven and deploying to CloudHub.
This document provides an introduction to Azure DevOps. It discusses the goals of DevOps including accelerating time to market, adapting to market changes, and maintaining system stability. It also outlines some key aspects of adopting a DevOps culture. The document then describes several Azure DevOps services including Azure Boards for tracking work, Azure Repos for source control, Azure Pipelines for continuous integration and delivery, Azure Artifacts for package management, and Azure Test Plans for testing. It provides overviews and benefits of each service.
A proven path for migrating from clearcase to git and or subversionCollabNet
Open Source Software (OSS) offers compelling benefits, including affordability (TCO), security & stability, speed of innovation and flexibility. This especially is evident with OSS source code management (SCM) software such as Git and Subversion. In this Webinar we will provide a proven framework to guide your decision – when to move, and if OSS is the right answer.
We will present a proven path for migration from ClearCase or other proprietary SCM systems that has helped over 30,000 users to make the switch. This webinar will present an actionable strategy, covering the phases of discovery and planning, and a practical guide for the actual migration itself.
Topics Covered:
The pros and cons of open source software for SCM
Git and Subversion: the leading enterprise SCM tools
TCO and other considerations for ClearCase migration
Key Takeaways:
The 3-step path: Discover, plan, migrate
Consideration for people and processes
Tools for migration and OSS management
Continuous Delivery: Fly the Friendly CI in Pivotal Cloud Foundry with ConcourseVMware Tanzu
This document provides an overview of continuous integration (CI) and continuous delivery (CD) using Concourse. It introduces Concourse and discusses why containers and pipelines are useful for CI/CD. It then demonstrates how to use Concourse in practice with examples and explains how to get started using Concourse for CI/CD workflows. The key aspects covered are Concourse's simple and scalable pipeline model using resources, tasks, and jobs, how containerization provides dependable and isolated executions, and how pipelines allow flexible yet efficient software testing and deployment.
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
Practical tips and heroic war stories on how to secure a large, modern, fast software delivery platform. From building a team to building cool stuff, dealing with organisational setups to dealing with security incidents.
Zero Buzzwords Guaranteed.
Chris Rutter has spent the last few years obsessed with making security, engineering and the business work together. Starting his career as an engineer, he uses a deep understanding of Agile, Devops, and product delivery to solve security problems in a way that enables teams, rather than hitting them with bricks.
Microsoft Skills Bootcamp - The power of GitHub and AzureDavide Benvegnù
In this session, part of the Microsoft Skills Bootcamp, I go through Digital Transformation in the DevOps era, and how to use Azure DevOps and GitHub together to achieve that.
The document outlines the agenda for a CI/CD Pipelines using Azure Devops meetup. The agenda includes introductions, discussions on Continuous Integration/Continuous Delivery and Azure DevOps, a demonstration of implementing CI/CD pipelines using Azure DevOps, and a networking session. Continuous Integration/Continuous Delivery aims to merge code changes frequently and automate the entire software release process. Azure DevOps provides features like source code repositories, boards for planning work, pipelines for building and deploying applications, and tools for testing.
Practical Data Mesh: Building Decentralized Data Architectures with Event Str...Harshana Martin
Sydney MuleSoft Meetup - 17th of August 2023
Practical Data Mesh: Building Decentralised Data Architectures with Event Stream & Anypoint DataGraph
Speakers:
- James Gollan | Manager of Enterprise Solutions Engineering, ANZ | Confluent
- Harshana Martin | Senior Success Architect | MuleSoft
Hosts/Moderators:
- Krishna Chaitanya Kamaraju | Senior Integration Manager | Capgemini
- Raquel Paez Ricciardo | Training Field Advisor | MuleSoft
- Harshana Martin | Senior Success Architect | MuleSoft
To be notified for all future events, please join the Sydney MuleSoft Meetup group at https://meetups.mulesoft.com/sydney/
Practical Data Mesh: Building Decentralized Data Architectures with Event StreamEva Mave Ng
Sydney MuleSoft Meetup - 17th August 2023
Practical Data Mesh: Building Decentralized Data Architectures with Event Stream
Speakers:
- James Gollan | Manager of Enterprise Solutions Engineering, ANZ | Confluent
- Harshana Martin | Senior Success Architect | Salesforce/MuleSoft
Hosts/Moderators:
- Krishna Chaitanya Kamaraju | Senior Integration Manager | Capgemini
- Raquel Paez Ricciardo | Training Field Advisor | Salesforce/MuleSoft
To be notified for all future events, please join the Sydney MuleSoft Meetup group at https://meetups.mulesoft.com/sydney/
The document discusses Microsoft Azure DevOps, a suite of tools that helps organizations implement DevOps practices. It provides an overview of the different tools in Azure DevOps, including Azure Boards for planning work, Azure Repos for source code management, Azure Pipelines for continuous integration and delivery, Azure Test Plans for testing, and Azure Artifacts for managing packages. It also discusses how Azure DevOps integrates with other Azure services to help organizations streamline development, deployment, operations, and monitoring processes.
Similar to How to build a self-documenting application (20)
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
What do a Lego brick and the XZ backdoor have in common?Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative projects and of software. The reality is that a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she has been involved in several events, migrations and training activities related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private organisations. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
At Conjur, we feel that the security aspects of Firewall, Application Auth, Networking, and Physical Infrastructure are well-understood and well-addressed in cloud.
DevOps speeds innovation and delivers business value through faster feature deployment and more stable application deployments, giving businesses with DevOps methodologies in place a strong competitive edge.
However, there is a simple problem with DevOps that concerns the business.
To business people, coded infrastructure and DevOps workflows are magic. They can’t see it but it makes stuff happen. Stuff that is important to them, like delivering features faster, more stable applications and better uptime and scaling with the business.
Chris’ history with DevOps
IGM + Security
But that runs contrary to the goals of compliance, security and auditing, which are to increase transparency around those applications and infrastructures that are considered vital and high-risk to the business. So at one level the business is asking you to go faster and do more with less, and the countervailing force is a desire for transparency to protect the business.
Next slide = alignment and learning governance needs (relationships)
But when you can get the business and DevOps to align, then everyone can wrap their minds around the new goal, which is actually a reproducible process that is compliant and secure.
Learning governance stakeholders language, concerns, backgrounds, needs
A modular pipeline can have its parts swapped out at will. A robust security setup needs to be able to accommodate continuous pipeline improvements, swapping out modules as business and operational needs change.
Demonstrate to your auditor that all code changes are checked, tested, tracked, and then released into production.
That you can create a complete history of the (recent) past and current structure of your entire environment.
Access controls for people and system accounts exist and are well documented, logged and auditable and that you have remediation plans in place in case of an “event”
Separation of Duties and Least Privilege
* Your user management is tied directly to Chef
The Chef server loses some collaborative functions
Separation of Concerns
More complicated scenarios quickly become tangled
different rights for different environments, e.g., dev team can ssh into dev but not prod, but ops has both
hard to implement least privilege: for access to specific roles you have to set attributes directly on them
CRUD on users requires a cookbook update -> release cycle
* Separate Chef servers/orgs needed for each environment if you want to test your changes before hitting prod
* Requires access to the Chef server to test cookbooks dependent on user data bags
* Completely separate from how to manage secrets; you have to write your own bridge
No report or audit
No single point of configuration - layers and layers of roles and attributes; default + override, etc
Enterprise directory integration
SSH access management is completely separate from secrets or app/service auth or anything else
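As an added example (not code from the talk or from Chef itself), a Ruby model of the data-bag user management the notes describe: constructed users data bag items and constructed attribute layers are merged the way Chef layers default and override attributes, and an audit helper answers who can SSH into each environment, which is the question an auditor asks and which Chef itself does not record. The user names, groups, environments, the deep_merge helper and the JSON shapes are assumptions; the second run shows how a silently edited environment file hands dev users prod access.

```ruby
# Added example, not from the talk: a model of "users live in Chef data bags"
# to show why least privilege across environments gets tangled and why the
# answer to "who can SSH into prod?" has to be recomputed rather than read.
# Everything below is constructed and only mimics Chef's shapes; it makes no
# real Chef API calls.

require 'json'

# Constructed 'users' data bag items (id, groups, ssh_keys). Adding or removing
# a user means editing these and re-uploading the data bag, which is why user
# CRUD rides the cookbook release cycle. Keys are placeholders.
USERS_DATA_BAG = JSON.parse(<<~'JSON')
  [
    {"id": "alice", "groups": ["dev"],        "ssh_keys": ["ssh-ed25519 AAAA...alice"]},
    {"id": "bob",   "groups": ["ops"],        "ssh_keys": ["ssh-ed25519 AAAA...bob"]},
    {"id": "carol", "groups": ["dev", "ops"], "ssh_keys": ["ssh-ed25519 AAAA...carol"]}
  ]
JSON

# Constructed attribute layers. Which groups may SSH to a node depends on the
# cookbook default, the node's role and the environment's override block, so
# three files must be read to answer one access question ("no single point of
# configuration").
COOKBOOK_DEFAULT = { 'ssh' => { 'allowed_groups' => ['ops'] } }.freeze

ROLES = {
  'webserver' => { 'default_attributes' => { 'ssh' => { 'allowed_groups' => %w[dev ops] } } }
}.freeze

ENVIRONMENTS = {
  'dev'  => { 'override_attributes' => {} },
  'prod' => { 'override_attributes' => { 'ssh' => { 'allowed_groups' => ['ops'] } } }
}.freeze

# Deep merge in the spirit of Chef attribute merging: the later layer wins.
def deep_merge(base, extra)
  base.merge(extra) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Effective node attributes: cookbook default < role default < environment override.
# environments: is injectable so a drifted copy of the environment files can be audited.
def effective_attributes(role, environment, environments: ENVIRONMENTS)
  merged = deep_merge(COOKBOOK_DEFAULT, ROLES.fetch(role).fetch('default_attributes', {}))
  deep_merge(merged, environments.fetch(environment).fetch('override_attributes', {}))
end

# Users who would get an authorized_keys entry on a node with this role/environment.
def ssh_users_for(role, environment, environments: ENVIRONMENTS)
  attrs = effective_attributes(role, environment, environments: environments)
  allowed = attrs.dig('ssh', 'allowed_groups') || []
  USERS_DATA_BAG.select { |u| (u['groups'] & allowed).any? }.map { |u| u['id'] }.sort
end

# The auditor's view: per-environment SSH access for a role. Chef stores no such
# report, so it has to be derived from the merged layers every time it is asked.
def access_report(role, environments: ENVIRONMENTS)
  environments.keys.to_h { |env| [env, ssh_users_for(role, env, environments: environments)] }
end

# Least-privilege check: users who reach prod without being in the ops group.
def least_privilege_violations(role, environments: ENVIRONMENTS)
  ssh_users_for(role, 'prod', environments: environments).reject do |id|
    USERS_DATA_BAG.find { |u| u['id'] == id }['groups'].include?('ops')
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(access_report('webserver'))
  puts "violations: #{least_privilege_violations('webserver').inspect}"
  # Constructed drift: someone blanked the prod override block in the environment
  # file. The role default now leaks through and dev users gain prod SSH access.
  drifted = ENVIRONMENTS.merge('prod' => { 'override_attributes' => {} })
  puts "violations after drift: #{least_privilege_violations('webserver', environments: drifted).inspect}"
end
```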
chef-vault + IAM: http://sysadvent.blogspot.com/2013/12/day-19-automating-iam-credentials-with.html (Dec 2013)
On chef-vault: http://jtimberman.housepub.org/blog/2013/09/10/managing-secrets-with-chef-vault/ (Sep 2013)
Problems:
* Until a Chef node completes its first run, it cannot use secrets (it is invisible to search until then)
* You end up with unencrypted files in your repos that have to be gitignored; how are they shared or backed up?
* You have to create ‘sets’ of secrets; for each new permutation you need a different set, and a Chef node query is mapped to one set
* Admin setup is all or nothing: all users you select in your query can fetch/update/delete secrets
* Adding/removing hosts and users requires that the Chef query is re-run
* How this works for development is unclear (gitignoring files, adding switches to cookbooks if using vagrant/kitchen, mocking out node attributes); this is a result of being completely dependent on Chef search
Noah’s overview: https://coderanger.net/chef-secrets/ (Aug 2014)
Data bags vs resources: https://coderanger.net/data-bags/ (Feb 2014)
Chef Analytics
Separate from the Chef server, so Chef Analytics can be managed and monitored outside the working Chef system
Write rules that trigger on events or sequences of events
Send emails, log messages or AMQP messages based upon rules, etc.
These are both very useful tools, but they are only part of a larger picture. Chef Analytics will tell you what has changed in Chef, but what about the compliance of your underlying infrastructure and applications?
Guardrail isn’t tied to Chef and covers everything changing on your server/instance but finding out who made a change requires reverse-engineering.
What’s missing?
* Secrets management audit - who has access, who is fetching and updating? A clear view.
* Audit of permissions changes - e.g., temporary privilege escalation, changes to group membership
* SSH logins/sudo calls
logout of the container is the first step…
Really get to know the compliance group
I had Gene Kim’s “Visible Ops” books almost permanently on hand and referred to them often.
Data bags & bootstrapping ← need to document
List every activity performed with the tool and declare the impact of the activity. This will dictate the rigor of the change control process.
List roles and responsibilities associated with Chef
e.g., Chef Manager, Chef Administrator, Customer
Provide specific classifications of impact (e.g., high, medium and low risk) with associated change tracking processes (e.g., file change control ticket)
HINT: Create a “maintenance” activity with a change tracking process of “none”
Example activities: “Create/Modify/Update Cookbooks in Chef Server” or “Bootstrap (add)/Remove Node”
Always look to manage scope and be aware of which systems are particularly sensitive (read: important) and which systems are managed by other groups
Declare which products and systems are “in scope”
Explicitly declare what is “out of scope”
Map high level features and activities to workflows and activities within your organization
Automated processes, where everything happens in a traceable and auditable manner (driven out of assets managed in source control) provide great flexibility and insulation within the change control process. You can declare, “change tickets must be filed for all medium risk updates unless performed via source control driven automation (list your org’s specifics).” Statements like the former within your documentation provide huge flexibility and leverage. As you update your automation and expand its scope, you should be able to file fewer and fewer change control tickets.
Validating Chef
Document how the product will be deployed within your organization
Describe
Incident and problem management. Hopefully, simply map this to pre-existing incident management documentation
Backup and restore management
Service and support
Leverage existing processes and documentation wherever possible: adopt other processes whole, or make only minor tweaks to existing tools and processes
Think creatively: a source control commit and its accompanying data (e.g., message, diff and author) is a change control ticket, and a Chef cookbook is an installation document (that happens to be executable). Framing mechanisms in these terms allows you to map modern DevOps tools and processes on top of outdated change control and governance processes and documentation. It eases the compliance group’s concerns because you are making incremental changes rather than throwing everything out and starting over.
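One way to make the "commit is a change ticket" framing concrete, as an added example that is not part of the original presentation: turn a commit's author, message and touched paths into a change-control record and pick the tracking process from the declared activity and impact. The activity names and the "maintenance = none" rule come from the slides above; the path-to-activity and impact assignments, and the constructed sample commit, are assumptions for illustration.

```ruby
# Added example (not the presentation's own code). Input is constructed text in the
# shape of `git log --name-status --format='%h%n%an%n%ad%n%s'` for one commit.
SAMPLE_LOG = [
  "3f2a1c9", "jane.doe", "2015-03-25",
  "Bump nginx cookbook to rotate the TLS cert path", "",
  "M\tcookbooks/nginx/recipes/default.rb",
  "A\tcookbooks/nginx/files/default/cert.pem",
].join("\n")

# Assumed mapping from repo path to the activities declared for the tool and their
# impact classification; anything else is treated as "maintenance" (process: none).
ACTIVITIES = {
  %r{\Acookbooks/} => ["Create/Modify/Update Cookbooks in Chef Server", :medium],
  %r{\Anodes/}     => ["Bootstrap (add)/Remove Node", :high],
}.freeze
MAINTENANCE = ["Maintenance", :low].freeze
IMPACT_RANK = { low: 0, medium: 1, high: 2 }.freeze

# Split the log text into commit metadata plus [status, path] pairs.
def parse_commit(log)
  lines = log.lines.map(&:chomp)
  sha, author, date, subject = lines[0, 4]
  files = lines.drop(4).reject(&:empty?).map { |l| l.split("\t", 2) }
  { sha: sha, author: author, date: date, subject: subject, files: files }
end

def classify(path)
  ACTIVITIES.each { |re, activity| return activity if path.match?(re) }
  MAINTENANCE
end

# Build the change-control record. Per the rule quoted above, medium-risk updates
# performed via source-control-driven automation need no separate ticket; high-risk
# ones still file one (assumed), and maintenance has a tracking process of "none".
def change_record(commit)
  activities = commit[:files].map { |_status, path| classify(path) }.uniq
  impact = activities.map(&:last).max_by { |i| IMPACT_RANK[i] }
  process = case impact
            when :high   then "file change control ticket"
            when :medium then "source control driven automation (commit #{commit[:sha]})"
            else              "none"
            end
  { sha: commit[:sha], author: commit[:author], date: commit[:date],
    summary: commit[:subject], activities: activities.map(&:first),
    impact: impact, process: process }
end

puts change_record(parse_commit(SAMPLE_LOG)) if $PROGRAM_NAME == __FILE__
```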